b'September 2009\nReport No. EVAL-09-008\n\n\nControls over Contracts Related to\nResolution and Receivership Activities\n\x0c                                                                                                   Executive Summary\n                                                                                               Report No. EVAL-09-008\n                                                                                                       September 2009\n\n                                           Controls over Contracts Related to Resolution and\n                                           Receivership Activities\n\n                                           Results of Evaluation\n\n                                           The FDIC has controls in place to award and manage resolution and\nBackground and Purpose                     receivership-related contracts, including procurement procedures,\nof Evaluation                              minimum standards for contractor fitness and integrity, background\nStarting in 2008, the FDIC began           investigations of contractor employees, and FDIC oversight manager\nexperiencing a significant increase in     (OM) and technical monitor (TM) designations and training.\nthe number and size of institution\nfailures as compared to previous           Notwithstanding these efforts, we noted that the FDIC did not always\nyears. This activity has resulted in a     complete background investigations for contractor personnel, OM and TM\nsignificant increase in the workload       workloads varied and were sometimes challenging, and OMs generally did\nfor the FDIC\xe2\x80\x99s Division of                 not prepare contract management plans or find them to be useful. We also\nResolutions and Receiverships              identified contract file documentation weaknesses in contracts that we\n(DRR) and a corresponding increase         reviewed. DRR\xe2\x80\x99s internal review efforts have identified similar findings.\nin the reliance on contractors to          DRR and DOA management have taken action to address these issues.\naddress failing and failed institutions.\nFor example, through June 30, 2009,        DRR and DOA have also taken action to mitigate risks associated with a\nthe FDIC had awarded over                  significant increase in contracting activity, including increasing authorized\n$1 billion in contracts, of which\n                                           procurement-related staff, creating oversight manager refresher training,\n98 percent were DRR-related.\n                                           establishing DRR contract support functions in the Dallas Regional Office,\nDRR relies on Receivership                 and establishing a corporate-level contracting project management office.\nAssistance Contractors (RAC) to\nprovide a full range of closing            While these actions are positive, FDIC management and personnel\nsupport functions. DRR also hires          involved in the procurement process must remain vigilant to ensure that\nfirms for other services, including        contractors perform work consistent with contract terms and maintain\nfinancial advisory, asset                  sufficient documentation to preserve a complete history of contract-related\nmanagement, and loss share                 decisions and outcomes. Additionally, the success of the FDIC\xe2\x80\x99s contract\nagreement oversight.                       administration and oversight management is dependent on maintaining\n                                           sufficient resources to address contracting administration needs and\nThe Division of Administration             ensuring individuals are fully-trained and understand their responsibilities.\n(DOA) provides contracting support         Because DRR and DOA have taken or are planning to take steps to\nto the FDIC and plans, solicits, and       address issues we identified during our review, we are not making\nmanages FDIC contracts through             recommendations.\ncompletion.\n                                           Although this report did not contain recommendations, management was\nThe objective of the evaluation was        given the opportunity to comment. Management elected not to provide\nto identify and evaluate controls in       written comments.\nplace to address the risks presented\nby a significant increase in resolution\nand receivership-related contracting\nactivity.\n\n\nTo view the full report, go to\nwww.fdicig.gov/2009reports.asp\n\x0c                                TABLE OF CONTENTS\n\n\nEVALUATION OBJECTIVE AND APPROACH                                               1\n\nBACKGROUND                                                                      2\n\nEVALUATION RESULTS                                                              4\n    Established Controls                                                        4\n           FDIC\xe2\x80\x99s Minimum Fitness and Integrity Standards                        5\n           Background Investigations                                             7\n           Oversight Management                                                 10\n    Actions Taken to Mitigate Risks Associated with\n    Increased Contracting Activity                                              14\n           Increased Authorized Staff                                           14\n           Created an OM Refresher Training Course                              15\n           Established DRR Contract Support Functions                           15\n           Established Corporate-level Contracts Project Management Office      15\n\nCONCLUSION AND MATTERS FOR CONTINUED ATTENTION                                  16\n\nAPPENDIX I: Objective, Scope, and Methodology                                   17\nAPPENDIX II: Global E-mail \xe2\x80\x93 Guidelines for Interacting with FDIC Contractors   19\n\nTABLES\n    Table 1: FDIC\xe2\x80\x99s Policy and Procedures Related to Minimum Fitness            5\n             and Integrity Standards\n    Table 2: Conflict of Interest Waiver Activity                                7\n    Table 3: FDIC\xe2\x80\x99s Policy and Procedures Related to Contractor Security         8\n    Table 4: FDIC\xe2\x80\x99s Policy and Procedures Related to Oversight Management       10\n    Table 5: OIG Analysis of OM Workload                                        12\n    Table 6: Contracts Sampled by OIG                                           18\n\nFIGURES\n    Figure 1: DRR Contracting Activity                                          2\n    Figure 2: Functional Areas of RAC Contractors                               3\n\x0c                       ACRONYMS IN THE REPORT\n\n\nAPM      Acquisition Policy Manual\nASB      Acquisition Services Branch\nCEFile   Contract Electronic File\nCLU      Contracting Law Unit\nCMP      Contract Management Plan\nCU       Corporate University\nDOA      Division of Administration\nDRR      Division of Resolutions and Receiverships\nGAO      Government Accountability Office\nMSB      Management Services Branch\nNFE      New Financial Environment\nOERM     Office of Enterprise Risk Management\nOIG      Office of Inspector General\nOM       Oversight Manager\nORE      Owned Real Estate\nPGI      Procedures, Guidance, and Information\nRAC      Receivership Assistance Contract\nRBOA     Receivership Basic Ordering Agreement\nRFP      Request for Proposal\nRTC      Resolution Trust Corporation\nSEPS     Security and Emergency Preparedness Section\nTM       Technical Monitor\n\x0cFederal Deposit Insurance Corporation                                                                 Office of Evaluations\n3501 Fairfax Drive, Arlington, Virginia 22226                                                  Office of Inspector General\n\n\n\nDATE:                                           September 30, 2009\n\nMEMORANDUM TO:                                  Mitchell L. Glassman, Director\n                                                Division of Resolutions and Receiverships\n\n                                                Arleas Upton Kea, Director\n                                                Division of Administration\n\n\n                                                [Signed]\nFROM:                                           E. Marshall Gentry\n                                                Acting Assistant Inspector General for Evaluations\n\nSUBJECT:                                        Controls over Contracts Related to Resolution and Receivership\n                                                Activities (Report No. EVAL-09-008)\n\n\nThis report presents the results of our evaluation of controls over contracts related to resolution\nand receivership activities. In 2008, the FDIC began experiencing a significant increase in the\nnumber and size of institution failures as compared to previous years, which has resulted in a\nsignificant increase in the workload for the FDIC\xe2\x80\x99s Division of Resolutions and Receiverships\n(DRR) and a corresponding increase in the reliance on contractors to address failing and failed\ninstitutions. The Government Accountability Office (GAO) has reported that an increased\nreliance on contractors can increase the risk of fraud, waste, and abuse absent effective controls\nand vigilant oversight.\n\nEVALUATION OBJECTIVE AND APPROACH\nThe objective of the evaluation was to identify and evaluate controls in place to address the risks\npresented by a significant increase in resolution and receivership-related contracting activity. To\naddress this objective, we:\n\n\xe2\x80\xa2     Reviewed prior Office of Inspector (OIG) and GAO reports to identify areas of potential risk\n      associated with contracting activity. Although we recognize that the organizations and\n      circumstances differ, we also reviewed Resolution Trust Corporation (RTC) OIG semiannual\n      reports to the Congress to identify contracting issues that existed during the last period of\n      significant resolution activity;\n\n\xe2\x80\xa2     Reviewed controls established and actions being taken or planned by the FDIC to mitigate\n      risks, including internal resource considerations;\n\n\xe2\x80\xa2     Evaluated the implementation of controls associated with contract administration and\n      oversight management by reviewing a judgmental sample of five DRR contracts.\n\n\n                                                                 1\n\x0cFor the purpose of this evaluation, we focused on risks associated after contracts were awarded\nbecause at the time we were planning our work, DRR was relying on contracts that were already\nin place. Accordingly, we focused on potential risks associated with fitness and integrity\nrequirements, the background investigation process, and the FDIC\xe2\x80\x99s contract administration and\noversight management function. Initially, the scope of our review was to include Legal Division\ncontracting activity, but we decided to focus the review on DRR contracting activity, given the\nlevel of such activity in DRR. We performed our evaluation between December 2008 and June\n2009 in accordance with the Quality Standards for Inspections. Details on our objective, scope,\nand methodology are provided in Appendix I.\n\nBACKGROUND\nDuring 2008, 25 FDIC-insured institutions with assets of $372 billion failed, 1 the largest number\nof failures since 1993 when 41 institutions with combined assets of $3.8 billion failed (excluding\nthrifts resolved by the RTC). Through September 2009, 95 FDIC-insured institutions with\ncombined assets of $104.4 billion have failed. To address the increased workload, DRR\xe2\x80\x99s use of\ncontractor resources has increased. This approach is consistent with the Corporation\xe2\x80\x99s\nestablished business model for resolutions and receivership management, which relies on\ncontractors and staff on time-limited appointments to handle major upticks in workload.\n\nThe Division of Administration (DOA), Acquisition Services Branch (ASB), provides\ncontracting support to all FDIC divisions except the Legal Division.2 The acquisition team\nincludes the contracting officer, contracting specialist, and other support staff in ASB; the\nresponsible officials in the program office, including the oversight manager (OM) and technical\nmonitor (TM); the Legal Division Contracting Law Unit (CLU); and, as appropriate, the\nsupporting officials and staff in the Office of Diversity and Economic Opportunity, and ASB\nPolicy and Operations Staff.\n\nIn 2008, FDIC contract awards totaled $651.8\nmillion as compared to $345.4 million in                          Figure 1: DRR Contracting Activity\ncontracts in 2007, which represented an increase                        DRR Contract Awards 2007-2009\nof approximately 89 percent. As of                                    $1,200\nJune 30, 2009, the FDIC had already awarded                           $1,000\nover $1 billion in contracts. Figure 1 illustrates                      $800\nthe increase in DRR contracting since 2007,                            $600\nwhich accounts for 98 percent of the                                   $400\nCorporation\xe2\x80\x99s contracting activity during 2009.                        $200\n                                                                          $0\nAccording to information provided by ASB,                                      2007    2008     2009\nDRR awarded approximately $395.3 million or\n61 percent of the total contracts for the                                      DRR Contracts in Millions\nCorporation in 2008. This was compared to\n                                                                  Source: DOA.\n$37.9 million, or 11 percent of the total contracts               Note: 2009 data as of June 30, 2009.\nfor the Corporation in 2007.\n\n1\n    This amount includes Washington Mutual Bank which had assets of $307 billion at the time of failure.\n2\n    The Legal Division has its own process for awarding and managing Legal Services Agreements.\n\n\n                                                          2\n\x0cWith regard to DRR contracting, the FDIC is using Receivership Basic Ordering Agreements\n(RBOAs) to expedite the acquisition of goods and services in support of failing or failed\nfinancial institutions. An RBOA is similar to a Basic Ordering Agreement in all respects except\nit is limited to awards in support of DRR and is not assigned a monetary value or a contract\nceiling amount. Instead, dollar value ceiling controls are established at the task order level,\nallowing DRR the ability to formulate requirements and resultant cost estimates as needs become\nbetter defined.\n\nOne of the principal RBOAs that DRR relies upon, the Receivership Assistance Contract (RAC),\nincludes the full range of closing support functions as indicated in Figure 2. 3 In addition, DRR\nhas other contracts in the following areas:\n\n\xe2\x80\xa2   Owned Real Estate (ORE) Management and                     Figure 2: Functional Areas of RAC\n    Marketing Services                                         Contractors\n\xe2\x80\xa2   National Valuation (Appraisal) Services\n\xe2\x80\xa2   E-Banking Advisory/Support Services\n\xe2\x80\xa2   Credit Card Consulting                                       \xe2\x80\xa2   Facilities          \xe2\x80\xa2 Financial Closing\n\xe2\x80\xa2   Shared Loss Basic Ordering Agreement                         \xe2\x80\xa2   Asset Management      Process\n\xe2\x80\xa2   Temporary Employment Services                                \xe2\x80\xa2   Claims              \xe2\x80\xa2 Personnel\n\xe2\x80\xa2   Secured Web Site                                             \xe2\x80\xa2   Investigations        Administration\n                                                                 \xe2\x80\xa2   Settlement          \xe2\x80\xa2 Franchise\n\xe2\x80\xa2   Business Information Systems                                 \xe2\x80\xa2   Employee Benefit      Marketing\n\xe2\x80\xa2   Due Diligence Services                                           Plans               \xe2\x80\xa2 Branch\n\xe2\x80\xa2   Environmental Due Diligence/Site Assessment                                            Management\n    Services                                                                             \xe2\x80\xa2 Trust\n\xe2\x80\xa2   Financial Advisory Services\n                                                               Source: DRR Resolutions Contracting\n\xe2\x80\xa2   Loan Servicing\n\xe2\x80\xa2   Web-Based Marketing\n\xe2\x80\xa2   Call Center activities\n\nOn June 11, 2009, ASB officials told us that DRR also has RBOA requests for proposals out for\nbid on the following:\n\n\xe2\x80\xa2   Financial Advisor for Securities Sales\n\xe2\x80\xa2   Financial Advisor for Loan Sales (replaces existing contract which is expiring)\n\xe2\x80\xa2   Financial Advisor for Mortgage Servicing Rights\n\xe2\x80\xa2   Due Diligence (replaces existing contract which is expiring)\n\xe2\x80\xa2   Loss Share Agreement Oversight\n\xe2\x80\xa2   Loan Servicing Oversight\n\xe2\x80\xa2   Title\n\xe2\x80\xa2   Assignments\n\xe2\x80\xa2   Trustee\n\xe2\x80\xa2   Custodian\n\xe2\x80\xa2   Subsidiary Management (replaces existing contract which is expiring)\n\xe2\x80\xa2   ORE (to add additional firms)\n\n3\n Under RAC I, the FDIC had engaged four contractors. In January 2009, the FDIC completed a second solicitation\nfor four additional contractors and refers to this RBOA as RAC II.\n\n\n                                                      3\n\x0cEVALUATION RESULTS\n\nEstablished Controls\n\nIn August 2008, ASB issued revised policies and procedures for the acquisition of goods and\nservices. The policies and procedures in the Acquisition Policy Manual (APM), 4 and the\naccompanying Procedures, Guidance, and Information (PGI) apply to all procurement actions\nawarded in the corporate, receivership, or conservatorship capacity. The revised manual and\nguidelines were not done in response to the increase in DRR contracting activities; rather, the\nissuance of the revised manual was the result of a multi-year DOA effort to update the policies\nand guidelines to reflect ASB\xe2\x80\x99s current policies and procedures, procurement-related systems,\nand ASB organizational changes. 5\n\nThe FDIC\xe2\x80\x99s revised policies include:\n\n\xe2\x80\xa2   an introduction to the RBOA,\n\xe2\x80\xa2   a discussion of special issues surrounding receivership contracting, and\n\xe2\x80\xa2   a description of the OM and TM nomination and appointment process.\n\nIn addition, emergency and expedited contracting procedures 6 have also been developed for\nmeeting the contracting needs related to financial institution failures when insufficient time is\navailable to follow established contracting procedures. The APM states that DRR and ASB rely\non advanced planning to reduce the need for expedited or emergency contracting procedures to\naward contracts, and expedited and emergency procedures are not to be used when there is\nsufficient time to follow established contracting procedures. The APM further states that in\norder to obtain the goods and services needed to support DRR efforts in relation to the\nanticipated closing of an institution, Contracting Officers must use existing contracts to the\nmaximum extent possible.\n\nAs related to our objectives, the APM and PGI establish controls designed to ensure contractors\nmeet fitness and integrity standards and receive required background investigations\ncommensurate with risk designation. In addition, the APM and PGI provide a framework for\nmanaging and overseeing the contractor\xe2\x80\x99s performance. As discussed further below, the APM\nand PGI establish policies and procedures, and define roles and responsibilities of the acquisition\nteam related to these areas.\n\nA GAO report entitled, Framework for Assessing the Acquisition Function at Federal Agencies, 7\nstates that clear and current procedures help to ensure that management\xe2\x80\x99s directives and\n\n4\n  Circular 3700.16, FDIC APM, dated August 22, 2008.\n5\n  An OIG report entitled, FDIC\xe2\x80\x99s Contract Administration, Report No. 06-026, dated September 2006, included a\nrecommendation regarding the completion of the policy update.\n6\n  These expedited procedures focus on providing optimum contracting support for DRR\xe2\x80\x99s critical mission, while\nusing competition to award contracts to the extent possible. Emergency procedures should be used when time\nconstraints do not allow for use of expedited or normal contracting procedures.\n7\n  GAO-05-218G, dated September 2005.\n\n\n                                                       4\n\x0cintentions are carried out. Policies and processes embody the basic principles that govern the\nway an agency performs the acquisition function. Ideally, policies and processes clearly define\nthe roles and responsibilities of agency staff, empower people across the agency to work together\neffectively to procure desired goods and services, and establish expectations for stakeholders to\nstrategically plan acquisitions and proactively manage the acquisition process. To be effective,\npolicies and processes must be accompanied by controls and incentives to ensure they are\ntranslated into practice. Policies and processes that do not address these objectives contribute to\nmissed opportunities to achieve savings, reduce administration burdens, and improve acquisition\noutcomes.\n\nFDIC\xe2\x80\x99s Minimum Fitness and Integrity Standards\n\nThe APM sets policy and minimum standards of contractor integrity and fitness that must be\nfollowed. The FDIC does not contract for services with anyone who has committed an act\ndeemed to be a disqualifying condition. The APM specifically does not allow the FDIC to enter\ninto, or continue contracts with individuals or organizations that present an unmitigated conflict\nof interest. If a conflict of interest exists, it precludes a contractor from performing the contract\nunless the conflict is waived by the FDIC or the contractor eliminates it.\n\nA conflict of interest can be either individual or organizational. Frequent conflicts arise when a\npersonal, business, or financial interest of a contractor or its employee or subcontractor is such\nthat the contractor\xe2\x80\x99s judgment and loyalty in performing services for the FDIC might be\ncompromised by concerns for pursuit of its own interest. Other conditions that create a conflict\nof interest include (1) involvement in litigation adverse to the FDIC as a party or representative\nof a party; (2) offering to buy an asset from the FDIC for which services were performed in the\n3 years prior to the offer, unless provided for in the contract for services; or (3) engaging in an\nactivity that would cause the FDIC to question the integrity of the services a contractor has\nperformed, is performing, or offers to perform. Table 1 summarizes the FDIC\xe2\x80\x99s policies and\nprocedures related to fitness and integrity designed to mitigate associated risk.\n\nTable 1: FDIC\xe2\x80\x99s Policy and Procedures Related to Minimum Fitness and Integrity Standards\n   Potential Risk Area                      FDIC Policy                                Procedures\nContractor does not meet         The FDIC expects all contractors and     \xe2\x80\xa2   Contractor submits completed FDIC\nminimum fitness and integrity    subcontractors to perform using the          Integrity and Fitness Representations\nor FDIC eligibility standards.   highest ethical standards, reflecting        and Certifications.\n                                 the integrity necessary to support and   \xe2\x80\xa2   Contracting Officer is responsible for\n                                 retain public trust and confidence in        reviewing the integrity and fitness\n                                 the acquisition process. The ethical         representations and certifications\n                                 standards to which the FDIC holds its        submitted to identify any issues\n                                 contractors and subcontractors are           related to eligibility.\n                                 delineated in 12 CFR \xc2\xa7366.\n\n\n\n\n                                                        5\n\x0cTable 1: FDIC\xe2\x80\x99s Policy and Procedures Related to Minimum Fitness and Integrity Standards\n(Continued)\n  Potential Risk Area                    FDIC Policy                                 Procedures\n                              The FDIC does not contract for            \xe2\x80\xa2   Contracting Officer refers any\n                              services with anyone who has                  eligibility issues to CLU for review.\n                              committed an act deemed to be a           \xe2\x80\xa2   CLU reviews conflicts of interest\n                              disqualifying condition. The                  raised by the representations and\n                              disqualifying conditions are set out in       certifications. CLU issues a written\n                              the Federal Deposit Insurance Act at          decision of its determination.\n                              12 USC \xc2\xa71822(f)(4) and are restated       \xe2\x80\xa2   CLU also prepares the cases for\n                              in the regulations at 12 CFR \xc2\xa7366.3.          eligibility determination, waiver of\n                              They are:                                     conflicts of interest, appeals from\n                                                                            final decisions, and other documents\n                              1.   Conviction of a felony;                  for the Corporation\xe2\x80\x99s Ethics\n                              2.   Removal from or being                    Committee.\n                                   prohibited from participation in     \xe2\x80\xa2   The delegated authority to waive a\n                                   the affairs of an insured                conflict of interest, if a contractor\n                                   depository institution as a result       requests a waiver, rests with the\n                                   of a federal banking agency final        Corporation\xe2\x80\x99s Ethics Committee and\n                                   enforcement action;                      the Assistant General Counsel of the\n                              3.   Demonstration of a pattern or            Corporate and Legal Operations\n                                   practice of defalcation or               Section of the Corporate Operations\n                                   embezzlement on financial                Branch of the Legal Division.\n                                   obligations to insured depository    \xe2\x80\xa2   DOA\xe2\x80\x99s Security and Emergency\n                                   institutions; or                         Preparedness Section (SEPS)\n                              4.   Causing a substantial loss to a          conducts background checks on\n                                   federal deposit insurance fund.          contractors, subcontractors, and\n                                                                            contractor personnel at the request of\n                                                                            the Contracting Officer and OM in\n                                                                            accordance with Circular 1610.2.\n                                                                        \xe2\x80\xa2   During the term of the contract, the\n                                                                            contractor must immediately notify\n                                                                            the FDIC if any of the information\n                                                                            submitted was incorrect at the time of\n                                                                            submission, or has subsequently\n                                                                            become incorrect.\n                                                                        \xe2\x80\xa2   Contractors with disqualifying\n                                                                            conditions that arise prior to or after\n                                                                            award are required to notify the FDIC\n                                                                            in writing within 10 calendar days.\n                                                                            There are no waivers for\n                                                                            disqualifying conditions.\nSource: FDIC\xe2\x80\x99s APM and PGI.\n\nThe Corporation\xe2\x80\x99s Conflict Committee reviews conflicts for contracts awarded by ASB. This\ncommittee is made up of seven members that include representatives from various divisions and\noffices, including DOA, DRR, and a representative from the Legal Division who chairs this\ncommittee. Table 2 below shows the number of conflicts reviewed by the Corporation\xe2\x80\x99s Conflict\nCommittee for years 2007, 2008, and 2009.\n\n\n\n\n                                                      6\n\x0cTable 2: Conflict of Interest Waiver Activity\n\n                             Corporation Conflict Committee\n\n                        Number of               Number of Waiver Requests\n   Year            Conflicts Reviewed                    Denied\n   2007                      5                             2\n   2008                      7                             2\n  2009*                      0                             0\nSource: Legal Division.\n* This information is as of March 17, 2009.\n\nAside from completing the FDIC Integrity and Fitness Representations and Certifications form\nduring the solicitation phase, contractors have a responsibility to report conflicts that may arise\nafter the contract is awarded. For instance, a DRR contractor that was hired by the FDIC to\nperform work related to a failed institution wanted to represent a potential buyer of assets of the\nclosed bank. Accordingly, the contractor submitted a conflicts waiver request. The Conflicts\nCommittee determined that the day-to-day management and operation of the bank represented a\nconflict for the contractor to also represent a potential buyer of bank assets. In addition,\ncontractor employees attended various strategic meetings on how the institution assets might be\nmarketed. Thus, the waiver was denied and the contractor was not allowed to represent the\npotential buyer of bank assets.\n\nIn addition to its policy and procedures, and related training to reinforce its policy, DOA and the\nLegal Division also send periodic reminders to employees and contractors to advise them of their\nrespective ethical responsibilities. For example, in April 2009, DOA and the Legal Division sent\na global email message intended to remind employees of certain ethical and contractual\nobligations that FDIC employees must keep in mind in dealing with contractors and contractor\nrepresentatives. A copy of the global email is included in Appendix 2. Such periodic reminders\ncoupled with coverage in OM training courses serve to reinforce the FDIC\xe2\x80\x99s policy related to\nethics.\n\nBackground Investigations\n\nWe also reviewed whether background investigations 8 had been completed as required for the\ncontracts in our sample. As discussed later in this section, background investigations were not\ninitiated for DRR contract employees in all cases. If background investigations are not\nconducted on contract employees, the risk increases that someone with a criminal record or\nquestionable credit history may be hired to work for the FDIC. This can result in embarrassment\nto the Corporation or a loss of funds or assets.\n\n\n\n\n8\n  A background investigation is a generic term that describes the process SEPS completes on contractors and\ncontractor personnel to ensure they meet minimum security and fitness standards set forth by the FDIC. These may\ninclude Federal Bureau of Investigation fingerprint criminal records checks, searches of various on-line data bases,\nand credit reports. It also includes various background investigations conducted by the U.S. Office of Personnel\nManagement for the FDIC.\n\n\n                                                         7\n\x0cSignificance of Background Investigations\n\nEffective background investigations are just as important as physical security and emergency preparedness.\nWe (FDIC) can spend a million dollars on a security system to protect our people, but if we let the bad guys\nin the front door by hiring one of them, we will have defeated the entire purpose of that security system. A\nstrong background investigation program ensures that your co-worker is the type of person you want to have\nnext to you.\n\nAssistant Director, Security and Emergency Preparedness, DOA\nFDIC News, February 2009\n\n\nAs indicated in Table 3 below, Circular 1610.2, Security Policy and Procedures for FDIC\nContractors and Subcontractors, dated August 1, 2003, establishes the security policy and\nprocedures for contractors and subcontractors to do business with the FDIC. It is the policy of\nthe FDIC to provide a safe working environment for all its personnel, protect and secure FDIC\nassets, and ensure that all contractors who provide services to the FDIC meet minimum security\nand integrity and fitness standards dictated by the FDIC and its regulatory requirements.\nDOA is in the process of revising this circular in part to clarify applicability to DRR contracting.\n\nTable 3: FDIC\xe2\x80\x99s Policy and Procedures Related to Contractor Security\n   Potential Risk Area                      FDIC Policy                                Procedures\nContract employees who           The policy applies to all contracts      \xe2\x80\xa2   The Program Office is responsible for\nperform work and handle          awarded, including the following:            establishing the risk level for\nsensitive information do not     (1) all contracts for services greater       contracts or contractors as part of the\nmeet the FDIC\xe2\x80\x99s minimum          than $100,000, (2) contracts at any          planning phase for future\nsecurity requirements.           amount when contractor employees             solicitations.\n                                 will have access to FDIC facilities or   \xe2\x80\xa2   A unit within SEPS reviews the risk\n                                 network/systems, or (3) any contract         level designation.\n                                 at the discretion of the FDIC.           \xe2\x80\xa2   Pre-award: The Contracting Officer\n                                                                              is responsible for including\n                                 This policy shall not apply to               appropriate background forms in\n                                 intermittent contractors who access          solicitations.\n                                 FDIC facilities on an infrequent and     \xe2\x80\xa2   All investigations will generally be\n                                 generally unscheduled basis.                 completed before contract award.\n                                                                              However, if an award is urgent, it\n                                                                              may be made contingent upon the\n                                                                              outcome of the investigation. The\n                                                                              OM shall closely monitor the\n                                                                              contractor\xe2\x80\x99s performance if a\n                                                                              contingent award is made, and the\n                                                                              Contracting Officer will ensure that\n                                                                              all investigations are completed as\n                                                                              soon as possible following the award.\n                                                                          \xe2\x80\xa2   Post-award: No later than 5 days\n                                                                              after the contract award, the\n                                                                              contractor will provide the\n                                                                              Contracting Officer with a list of all\n                                                                              contract personnel working on the\n                                                                              contract.\n\n\n\n\n                                                         8\n\x0cTable 3: FDIC\xe2\x80\x99s Policy and Procedures Related to Contractor Security (Continued)\n    Potential Risk Area                            FDIC Policy                                      Procedures\n                                                                                    \xe2\x80\xa2    The Contracting Officer will furnish\n                                                                                         the required information to SEPS,\n                                                                                         and SEPS will provide the required\n                                                                                         forms to contractor personnel.\n                                                                                    \xe2\x80\xa2    Contractor personnel shall complete\n                                                                                         electronic fingerprint and credit\n                                                                                         check applications and will not be\n                                                                                         permitted to begin work until the\n                                                                                         results of the fingerprint reviews are\n                                                                                         completed.\n                                                                                    \xe2\x80\xa2    Upon receipt of the results of the\n                                                                                         background investigations, SEPS will\n                                                                                         notify the OM and Contracting\n                                                                                         Officer.\nSource: FDIC Circular 1610.2.\n\nThe existing circular, dated August 1, 2003, provides for some discretion with respect to DRR\ncontracts. Specifically, Circular 1610.2 states\n\n          No background investigations or fingerprint checks shall be required when a receivership\n          is created, except when a receivership is of a long-term nature, in which case all\n          contractor personnel employed thereafter shall comply with the terms and conditions for\n          contractor personnel set forth in the RFP and the contract.\n\nThe existing circular does not define \xe2\x80\x9clong-term nature.\xe2\x80\x9d This leaves the matter open to\ninterpretation and could potentially result in the policy being inconsistently applied. For\ninstance, one of the contracts we sampled awarded out of headquarters had 20 contractor\nemployees that were deployed to do work without undergoing a background investigation. At\nthe time of our fieldwork, the contractor had completed the tasks related to this contract, and the\ncontract was in the close-out process. For this task order, background investigations were\ncompleted for the contractor\xe2\x80\x99s principals as part of the pre-award process. 9 During the pre-award\nphase in May 2007, SEPS reported that:\n\n          Checks completed did not review any information that would preclude the contractor or\n          individual(s) from obtaining a contract or contract work, respectively, with the FDIC. All\n          contractor and subcontractor employees working on the contract shall complete electronic\n          fingerprints and will not be permitted to begin work until the results of the fingerprint\n          reviews are completed.\n\nWhen this particular task order was awarded in May 2008, the Contracting Officer did not\ninitiate action to process background investigations for contract personnel actually performing\nwork on the task assignment because he did not believe that a background investigation was\nrequired. Specifically, he thought that because this task assignment related to a receivership,\n\n\n9\n An AutoTrack background was conducted on seven employees identified in the task order. An AutoTrack is a limited criminal\ncheck that is done on an individual for a "region" of the United States only. In this situation, AutoTrack results did not reveal any\ncriminal activity for any of the seven employees in the specific region it checked.\n\n\n\n                                                                 9\n\x0cbackground investigations were not required under Circular 1610.2 beyond the background\ninvestigations that were done on the contractor and the five principals.\n\nIn addition to the contract discussed above, two contracts in our sample were RAC contracts.\nDuring our fieldwork, in discussions with SEPS and DRR Dallas officials, we learned that\n86 RAC I contract employees that were doing work for the FDIC had not had background\ninvestigations. Since that time, we understand that DRR officials in the Dallas Regional Office\nhave worked with SEPS to ensure necessary investigations were completed. DRR management\nofficials stated it was their intent for contract personnel to receive background investigations\ncommensurate with their risk-level designation. DRR has taken steps to coordinate with DOA\nSEPS to ensure that DRR contract employees meet minimum security requirements. Also, DRR\nofficials stated that RAC II contract employees will not be deployed to perform work until those\nindividuals are cleared by SEPS. DRR and DOA are working together to track background\ninvestigation submissions and clearances for both RAC I and RAC II contract employees.\nCircular 1620.2 is currently being revised, in part, to clarify the applicability of its provisions to\nDRR contracts, and we plan to provide comments on the draft circular to FDIC officials\noutlining our view that the policy should apply to DRR contractors unless the DRR Director\ndetermines that an exception is warranted.\n\nOversight Management\n\nOversight management is the management of the technical performance requirements of the\ncontract and is primarily the responsibility of the OM. Oversight management ensures that the\ncontractor delivers the required goods or performs the work according to the delivery schedule in\nthe contract and includes monitoring of funds expenditure in relation to the contract ceiling. The\nProgram Office is responsible for ensuring that adequate resources are available for monitoring\ncontractor performance. For the contracts we sampled, DRR had assigned an OM and TMs to\noversee the work on specific task assignments. The number of TMs assigned varied based on\nDRR\xe2\x80\x99s assessment of workload associated with a contract. In addition, as discussed later in the\nreport, DRR has established a group in the Dallas Regional Office to assist in the oversight\nmanagement of RAC contractors. Table 4 summarizes the FDIC\xe2\x80\x99s policy and procedures related\nto oversight management.\n\nTable 4: FDIC\xe2\x80\x99s Policy and Procedures Related to Oversight Management\n  Potential Risk Area            FDIC Policy                     Procedures\nContractors perform work that   All procurement actions require some    \xe2\x80\xa2   The Contracting Officer and the OM\ndoes not meet contract          level of administrative management          must develop a Contract\nrequirements.                   as well as performance monitoring           Management Plan (CMP) for all\n                                and management (oversight                   contracts and task orders for services\n                                management) by the Contracting              having a total estimated value of\n                                Officer and the Program Office. The         $1,000,000 and greater.\n                                extent varies based upon many           \xe2\x80\xa2   The Contracting Officer files a signed\n                                factors, including contract type, the       copy of the CMP in the official\n                                complexity of the requirement, and          contract file.\n                                the dollar amount of the contract\n                                action.\n\n\n\n\n                                                      10\n\x0cTable 4: FDIC\xe2\x80\x99s Policy and Procedures Related to Oversight Management (Continued)\n  Potential Risk Area            FDIC Policy                     Procedures\n                                                               \xe2\x80\xa2   The Contracting Officer appoints an\n                                                                   OM (and TM if required) to monitor\n                                                                   contract performance for all contracts\n                                                                   over $100,000, or other contracts\n                                                                   where appropriate.\n                                                               \xe2\x80\xa2   The OM monitors the contractor\xe2\x80\x99s\n                                                                   performance of the contract and acts\n                                                                   as a technical liaison between the\n                                                                   FDIC and the contractor and ensures\n                                                                   technical compliance with the\n                                                                   contract by all parties.\n                                                               \xe2\x80\xa2   Contracting Officers must verify that\n                                                                   the OM and TM have completed the\n                                                                   2-day in-class OM Training course.\n                                                                   If it is necessary to appoint an OM\n                                                                   and TM before completion of the\n                                                                   2-day course, they may be appointed\n                                                                   after successfully completing the\n                                                                   FDIC Web-based OM training\n                                                                   course, and being scheduled for the\n                                                                   2-day course.\n\nSource: FDIC\xe2\x80\x99s APM & PGI.\n\nAs discussed in Table 4, to be appointed as an OM or TM, the individual must attend a 2-day\nOversight Management Training Course, which is conducted quarterly through the FDIC\xe2\x80\x99s\nCorporate University (CU) and complete a Web-based Oversight Management Training course.\nThese courses are designed to cover the procurement process -- acquisition planning, award,\ncontract administration, and closeout. All of the OMs and TMs assigned to the contracts that we\nreviewed completed the required training. However, documentation related to the completion of\nthe course was missing for one employee who had taken the course. Further, one TM took the\ntraining in 1999 but neither the APM nor the PGI outlines how often training is required. The\nFDIC\xe2\x80\x99s CU is responsible for maintaining the official list of the names of all FDIC employees\nthat have completed the training. DOA also maintains a list of all class attendees for the training\nin their records to ensure OMs and TMs have met this requirement. We identified discrepancies\nwith the training list maintained by CU and the one maintained by DOA during our review.\nOfficials from both offices, CU and DOA, worked together to update their lists so that both\noffices have training lists that are accurate and complete.\n\nResponsibilities of an OM and TM are covered in the training course and are also outlined in the\nOversight Manager Appointment Memorandum and the Technical Monitor Appointment\nMemorandum, which OMs and TMs are required to sign at the time they are appointed. Our\nevaluation focused on some key responsibilities:\n\n   \xe2\x80\xa2   Read and understand contract requirements.\n   \xe2\x80\xa2   Develop and document oversight plan.\n   \xe2\x80\xa2   Ensure completion of security access and background investigations with fingerprinting\n       prior to work start date.\n\n\n                                                11\n\x0c     \xe2\x80\xa2   Provide technical oversight and direction.\n     \xe2\x80\xa2   Ensure performance is in accordance with the Statement of Work and the contract\n         standards.\n     \xe2\x80\xa2   Identify and resolve performance issues expeditiously.\n     \xe2\x80\xa2   Review personnel changes for adequacy.\n     \xe2\x80\xa2   Monitor budget by ensuring the contractor spending rate is on target and expenditures are\n         within the contract ceiling.\n     \xe2\x80\xa2   Maintain the FDIC\xe2\x80\x99s Contract Electronic File (CEFile) 10 and ensure files are complete\n         and accurate.\n     \xe2\x80\xa2   Evaluate and document contractor performance.\n     \xe2\x80\xa2   Inspect and accept deliverables.\n     \xe2\x80\xa2   Review and approve invoices.\n\nOMs and TMs we interviewed indicated that they understood contract requirements and were\nworking together to monitor contractor performance and review contractors\xe2\x80\x99 invoices. However,\nsome of the OMs and TMs acknowledged workload was a challenge. Table 5 summarizes\ninformation about the OM workload related to the contracts we sampled. Given the critical role\nof OMs and TMs, DRR needs to remain mindful about an individual\xe2\x80\x99s capacity to effectively\ncarry out assigned responsibilities.\n\nTable 5: OIG Analysis of OM Workload\n            Type of                   Number of           OMs             TMs\n           Contract                  Task Orders*        Assigned       Assigned                  Other\n      Business Information               100                 1              2\n            Services\n       Financial Advisory                   1                 1              1        OM was also TM for\n            Services                                                                  another contract.\n     Receivership Assistance                14                1              1        OM was also OM for\n           Contract I                                                                 another DRR contract.\n     Receivership Assistance                16                1              3        OM was also OM for\n           Contract II                                                                another DRR contract.\n     Temporary Employment                   21                1              1        OM was also OM for\n            Services                                                                  another contract.\nSource: OIG discussions with OMs and TMs.\n*Note: The number of task orders an individual OM can oversee depends on a number of factors including: the\nnature of the task, level of TM support, and the stage of work being done under the task order (i.e., some OMs told\nus that some of the task orders included above were still active but most of the work was complete and required less\noversight at that point).\n\nAlthough OMs and TMs were actively involved in overseeing the work performed, we found\nsome instances where policies and procedures were not being followed. As discussed later, our\nfindings were consistent with issues raised in DRR\xe2\x80\x99s internal review reports. Specifically, we\nfound:\n\n\n10\n  CEFile is a utility that automates the official contract file through the use of Documentum and the FDIC Digital\nLibrary. Contracting Officers, OMs, and TMs must ensure the contract file is maintained in CEfile and is current,\naccurate, and complete throughout the life of the contract.\n\n\n                                                        12\n\x0c\xe2\x80\xa2      CMPs were generally not prepared and not viewed by OMs as needed. A CMP was only\n       prepared for one of the five contracts we reviewed. According to the FDIC\xe2\x80\x99s APM, the CMP\n       is an important tool to ensure the OM and Contracting Officer have defined the level of\n       oversight required. Specifically, the OM, together with the Contracting Officer, are\n       responsible for determining the level of oversight that is necessary to ensure the contractor\n       makes satisfactory progress toward successful completion of the contract. To assist in\n       performing oversight activities for services, the OM should work with the Contracting\n       Officer to develop the CMP. Several OMs we interviewed did not view the CMP as a useful\n       tool, and, accordingly did not prepare one.\n\n\xe2\x80\xa2      Contract documentation was not always placed in the CEFile as required. Specifically, we\n       found only 5 OM and TM appointment letters in the CEFile for the 13 OMs and TMs that\n       were assigned to contracts reviewed (38 percent). In addition, the CMP that was prepared\n       was not placed in the file until after we met with the OM. According to the FDIC\xe2\x80\x99s APM,\n       documentation in CEFile must provide a complete history of all procurement-related actions\n       and the basis for informed decisions at each step in the acquisition and oversight\n       management process. Prior OIG reports have identified issues related to the completeness of\n       documentation in the CEFile. We recognize that DRR and DOA have emphasized the\n       importance of such documentation in formal training and through other means. While we\n       have not evaluated the underlying root cause of this problem, OMs we interviewed indicated\n       that it is difficult to keep up with the documentation requirements because the electronic\n       system is slow and not user-friendly. One OM suggested that it might be beneficial to have\n       administrative assistance to keep up with the document requirements to allow OMs more\n       time to focus on overseeing the work of the contractor.\n\nThe results of our work were consistent with recent reviews completed by DRR\xe2\x80\x99s Office of\nInternal Review. Specifically, DRR has completed two internal reviews that focused on DRR\xe2\x80\x99s\ncontract oversight management process. The first review focused on the Dallas Field Operations\nBranch, and the follow-up review was expanded to include the Washington Office. 11 The\nobjectives of the review were to: (1) verify that DRR received deliverables according to the\nappropriate provisions of the contracts; (2) confirm that payments for contract services were\nmade according to the proper and correct terms; and (3) determine whether contracts were closed\nout properly.\n\nThe results of the first review found that the contract oversight management in DRR was\nperforming in a less than adequate manner. Specifically, certain procedures and practices were\nnot being performed as required, such as (1) maintaining OM files electronically in CEFile,\n(2) documenting contractor performance reviews, and (3) using oversight manager tools such as\nOM checklists and OM invoice review checklists. In addition, OMs were not using New\nFinancial Environment (NFE) reports to monitor and manage contracts against approved levels. 12\nAccording to the internal review report, OMs were generally reviewing invoices and did\nmaintain various types of hardcopy files. DRR management developed a corrective action plan\nto address issues identified. As discussed below, one of the principal actions taken was the\ndevelopment of an OM refresher trainer course.\n\n11\n     IR Review No. 2008-004, Review of DRR Contracting Process.\n12\n     NFE is the FDIC\xe2\x80\x99s financial management system.\n\n\n                                                      13\n\x0cIn the follow-up report, 13 the Office of Internal Review found that OMs actively monitored\ncontractor performance and ensured that services and deliverables provided were acceptable,\nOMs\xe2\x80\x99 level of attention was appropriate given the nature of the services performed, and OMs\napproved invoices according to the terms of the contract. Further, DRR\xe2\x80\x99s Office of Internal\nReview noted marked improvement in the overall contract oversight management process in the\nDallas Field Office Branch since the prior review; however, exceptions were found related to\ndocumentation of the CMP and OM and TM appointment letters. Moreover, there was no\nevidence that site visitations had been conducted, and contractor performance evaluations were\nnot documented as required. Consistent with DRR Internal Review practice, management will\nprovide a corrective action plan to address the issues identified.\n\nIn addition to internal reviews conducted by DRR, DOA\xe2\x80\x99s Management Services Branch (MSB)\nis currently conducting an internal study to evaluate whether acquisition specialists are using\nCEFile as intended and required. This study/review is the first of a series of periodic reviews\nthat will be conducted by MSB at ASB\xe2\x80\x99s request. The review will focus on essential contracting\ndocumentation maintained in CEFile for all phases of the contracting process, including pre-\nsolicitation, solicitation, evaluation, selection, award and modification, administration, and\ncloseout. As appropriate, MSB plans to identify systemic trends and exceptions that may\nwarrant follow-up corrective action(s).\n\nActions Taken to Mitigate Risks Associated with Increased Contracting Activity\n\nIncreased Authorized Staff\n\nAs part of the corporate planning process, divisions and offices assess their workload needs\nbased on an analysis of existing and projected workload. The 2009 Corporate Operating Budget\nprovided for a significant increase in authorized staffing in DRR and the Legal Division to\naddress the Corporation\xe2\x80\x99s elevated resolutions and receivership management workload. DRR\xe2\x80\x99s\nincreased use of contracts also affects resource needs of ASB and SEPS.\n\nTo that end, DOA is hiring additional contract specialists in both in the Washington Office and\nthe Dallas Regional Office. Specifically, there are six Contract Specialists in the Dallas Regional\nOffice and six in the Washington Office. In addition, according to ASB officials, there is a job\nposting for three additional contract specialists for the Dallas Regional Office. Further, ASB\nofficials stated that they are currently evaluating the number of Contract Specialists that the\nFDIC will need to handle the increase in the number of contract awards based upon its current\nactivity. In evaluating staffing needs, government-wide or ASB-specific metrics do not exist for\nevaluating the number of contracting officers and contract specialists needed to handle the\nvolume of activity. ASB officials indicated that staffing needs would be evaluated periodically.\nIn addition, SEPS anticipates having a total of 17 security management specialists in the\nWashington Office and 9 in the Dallas Regional Office to manage the increase in the number of\nbackground investigations that are required due the number of contracts being awarded.\n\n\n\n\n13\n     IR Review No. 2009-001, Review of DRR Contracting Process.\n\n\n                                                      14\n\x0cCreated an OM Refresher Training Course\n\nTo address issues in the DRR Office of Internal Review\xe2\x80\x99s first report on the contracting\noversight process, DRR, in conjunction with DOA, developed a refresher course that was\nprovided to all DRR OMs and TMs in the Dallas, Texas, and Irvine, California, offices. This\ncourse was created to specifically address deficiencies noted in the report as well as review OM\nand TM roles and responsibilities. For 2009, this refresher training course is scheduled to be\nprovided eight times in Dallas and six times in Irvine, and the two divisions anticipate training\napproximately 252 OMs and TMs. Several of the OMs and TMs we interviewed had taken this\nrefresher training and generally had positive comments to make about the course. Providing\nrefresher training for DRR OMs and TMs during a time when the FDIC is increasing its\ncontracting activity should help reinforce policy and promote consistency.\n\nEstablished DRR Contract Support Functions\n\nDRR recently established two groups in the Dallas Regional Office to (1) perform oversight\nmanagement of RAC contractors and (2) assist in the various aspects of the solicitation and\naward process.\n\n\xe2\x80\xa2 The Contract Oversight Management Group was established in the third quarter of 2008 to\n  perform the contract oversight function on RAC and payroll contracts awarded by the FDIC.\n  Within the group, there are two sections consisting of section chiefs, 12 OMs, and 4\n  technicians. Staffing for one section is nearly complete, and DRR is working to fill vacancies\n  related to the second section.\n\n\xe2\x80\xa2 The Contracts Support Group was established in August 2008 to assist in the contracting\n  effort, specifically, case writing for RAC and payroll contracts, technical evaluation panel\n  participation, statement of work preparation, obtaining board approval for contracts over\n  $20 million, and assisting with special projects related to contracting activities. One of the\n  goals of this group is to perform contract quality assurance; however, this function has not yet\n  started. Currently, there are six employees in this group, and five additional positions have\n  been announced. DRR has also established a Contract Support Unit in the West Coast\n  Temporary Satellite Office and plans to set up a similar unit in the new East Coast Temporary\n  Satellite Office.\n\nEstablished Corporate-level Contracts Project Management Office\n\nIn addition to efforts ongoing within DOA and DRR, on a broader-level, the FDIC is establishing\nvarious project management offices (PMOs), including a Contracting PMO, to help manage the\nestablishment of new programs and expansion of existing program activities, such as contracting\nto address current workload issues. The purpose of this Contracting PMO is to provide accurate\nand timely information to FDIC executive management on the effectiveness of the FDIC\xe2\x80\x99s\ninternal controls and business processes regarding contracting, identify and report on significant\nrisks, develop mitigation plans for significant risks, and provide resource impact updates. The\nDirector, OERM, will serve as the executive sponsor of this PMO, which includes individuals\n\n\n\n\n                                                15\n\x0cfrom DOA, Division of Finance, DRR, and the Legal Division. OERM has also initiated a\nprogram to conduct quarterly invoice reviews.\n\nCONCLUSION AND MATTERS FOR CONTINUED ATTENTION\nCollectively, the established controls and all of the steps being taken are positive and provide\nevidence of management\xe2\x80\x99s attention to monitor and mitigate risks associated with the significant\nincrease in contracting activity that has occurred since 2007 and is expected to continue for the\nforeseeable future. However, FDIC management and those involved in the process must remain\nvigilant to ensure that contractors perform work consistent with the contract terms and contract\ndocumentation is kept up-to-date to ensure there is a complete history of contract-related\ndecisions and outcomes. Additionally, the success of the FDIC\xe2\x80\x99s contract administration and\noversight management is dependent on maintaining sufficient resources to address contracting\nadministration needs and ensuring individuals are fully trained and understand their\nresponsibilities. Because DRR and DOA have taken or are planning to take steps to address\nissues we identified during our review, we are not making any recommendations. However, to\nmitigate risks associated with the surge in contracting activity going forward, management\nshould:\n\n\xe2\x80\xa2   Ensure that policies remain current and reflect contracting needs as they may evolve. For\n    instance, DOA may determine that its policies with regard to CMP need to be modified to\n    provide a more useful mechanism for contract oversight planning. Additionally, the results\n    of DOA\xe2\x80\x99s MSB study of CEFile documentation may result in suggestions that impact policy\n    that will need to be captured to ensure process improvements are readily made.\n\xe2\x80\xa2   Ensure that contractors comply with minimum ethical standards and appropriate security\n    requirements by following through on efforts to ensure background investigations are\n    appropriately initiated. Given the sensitive nature of information that some contractors\n    handle, the FDIC needs to ensure that contractor personnel meet minimum security\n    requirements before they are allowed to begin work.\n\xe2\x80\xa2   Continue to ensure that staff involved in the contracting process, especially program office\n    personnel, complete necessary training and understand the importance of their role in\n    administering contracts.\n\xe2\x80\xa2   Continue to conduct periodic internal reviews focused on contract oversight in order to\n    readily identify issues and take corrective action before issues become widespread.\n\xe2\x80\xa2   Continue to periodically evaluate staffing needs to ensure DOA, the Legal Division, and\n    DRR have the resources necessary to effectively carry out contracting policies and\n    procedures, monitor compliance, and oversee the work performed by the contractors.\n\xe2\x80\xa2   Sustain management attention on contracting activity. The Contracting PMO and OERM\n    invoice review program should play a pivotal role in assessing risks and monitoring the\n    effectiveness of controls on a continuing basis.\n\nMoreover, although we did not evaluate controls related to the solicitation and award of\ncontracts, the FDIC needs to remain vigilant in implementing controls associated with those\nprocesses to in order to mitigate the risk that procedures -- including those established for\nexpedited or emergency situations -- are unnecessarily bypassed for the sake of expediency.\n\n\n\n\n                                                16\n\x0c                                                                                      Appendix I\n\n\n                  OBJECTIVE, SCOPE, AND METHODOLOGY\nThe objective of the evaluation was to identify and evaluate controls in place to address the risks\npresented by a significant increase in resolution and receivership-related contracting activity.\nFor the purpose of this evaluation, we focused on post-contract award risks because at the time\nwe were planning our work, DRR was relying on contracts that were already in place.\nAccordingly, we focused on potential risks associated with fitness and integrity requirements, the\nbackground investigation process, and the FDIC\xe2\x80\x99s oversight management function. Initially, the\nscope of our review was to include Legal Division contracting activity, but we decided to focus\nthe review on DRR contracting activity due to the extent and materiality of DRR-related\ncontracting. To address our objective we:\n\n\xe2\x80\xa2   Reviewed prior OIG reports and GAO reports to identify areas of potential risk associated\n    with contracting activity. Although we recognize that the organizations and circumstances\n    differ, we also reviewed RTC OIG semiannual reports to identify contracting issues that\n    existed during the last period of significant resolution activity.\n\n\xe2\x80\xa2   Reviewed the GAO report entitled, Framework for Assessing the Acquisition Function at\n    Federal Agencies, in order to help us assess the FDIC\xe2\x80\x99s contract administration efforts. GAO\n    developed this framework to enable high-level, qualitative assessments of the strengths and\n    weaknesses of the acquisitions function at federal agencies.\n\n\xe2\x80\xa2   Reviewed relevant FDIC policies and procedures, including:\n\n           o Circular 3700.16, FDIC APM, dated August 22, 2008.\n           o Circular 1610.2, Security Policy and Procedures for FDIC Contractors and\n             Subcontractors, dated August 1, 2003.\n\n\xe2\x80\xa2   Interviewed DRR and DOA officials in both Washington, DC, and Dallas, Texas, involved in\n    awarding contracts and overseeing DRR contractors to understand their respective roles,\n    workload, and actions being taken or planned by the FDIC to mitigate risks associated with\n    the increase in contracting activity. We also interviewed officials in OERM and the Legal\n    Division.\n\n\xe2\x80\xa2   Reviewed DRR Internal Review No. 2008-004 entitled, Review of DRR Contracting Process,\n    dated October 23, 2008 and the response to that report, DRR Contracting Process Corrective\n    Action Plan, dated November 26, 2008. We also reviewed DRR Internal Review No. 2009-\n    001, Review of DRR Contracting Process dated June 1, 2009.\n\n\xe2\x80\xa2   Reviewed requirements of the FDIC Conflicts Committee, chaired by a Legal Division,\n    official and specific conflicts that were identified during 2008.\n\n\xe2\x80\xa2   Judgmentally selected five DRR contracts from a Purchase Order Summary Report (as\n    summarized in Table 6) in order to evaluate the implementation of controls related to fitness\n    and integrity standards, background investigations, and oversight management. Specifically,\n\n\n\n\n                                                17\n\x0c                                                                                 Appendix I\n\n   in addition to discussions with OMs and TMs about their workload and approach for\n   overseeing contracts, we determined whether:\n\n          o Background investigations had been initiated when required.\n          o OMs and TMs assigned to oversee these contracts had completed required\n            training.\n          o The CEFile included key documents such as the OM/TM appointment letters and\n            the CMP.\n\n                     Table 6: Contracts Sampled by OIG\n                      Sample No.                RBOA\n                            1        Business Information Services\n                            2         Financial Advisory Services\n                            3           Receivership Assistance\n                                           Contract (RAC I)\n                            4           Receivership Assistance\n                                          Contract (RAC II)\n                            5           Temporary Employment\n                                                Services\n                      Source: Purchase Order Summary Report for 2008.\n\n\n\nWe performed our evaluation between December 2008 and June 2009 in accordance with the\nQuality Standards for Inspections.\n\n\n\n\n                                               18\n\x0c                                           Appendix II\n\n\n                  GLOBAL E-MAIL \xe2\x80\x93\nGUIDELINES FOR INTERACTING WITH FDIC CONTRACTORS\n\n\n\n\n                       19\n\x0c'